Configure macOS for smart card-only authentication

Smart card authentication provides strong two-factor authentication in macOS Sierra and later. macOS High Sierra 10.13.2 and later support smart card-only authentication for the mandatory use of a smart card, which disables all password-based authentication.

This article is intended for system administrators who set security policy in enterprise environments that require smart card authentication.

Enable smart card-only login

Make sure that you carefully follow these steps to ensure that users will be able to log in to the computer.

Pair a smart card to an admin user account or configure Attribute Matching.

If you’ve enabled strict certificate checks, install any root certificates or intermediates that are required.

Confirm that you can log in to an administrator account using a smart card.

For more information about using smart card services, see the macOS Deployment Guide or open Terminal and enter man SmartCardServices.

Disable smart card-only authentication

If you manually manage the profiles that are installed on the computer, you can remove the smart card-only profile in two ways. You can use the Profiles pane of System Preferences, or you can use the /usr/bin/profiles command-line tool. For more information, open Terminal and enter man profiles.

If your client computers are enrolled in Mobile Device Management (MDM), you can restore password-based authentication. To do this, remove the smart card configuration profile that enables the smart card-only restriction from the client computers.

To prevent users from being locked out of their account, remove the enforceSmartCard profile before you unpair a smart card or disable attribute matching. If a user is locked out of their account, remove the configuration profile to fix the issue.

If you apply the smart card-only policy before you enable smart card-only authentication, a user can get locked out of their computer. To fix this issue, remove the smart card-only policy:

Turn on your Mac, then immediately press and hold Command-R to start up from macOS Recovery. Release the keys when you see the Apple logo, a spinning globe, or a prompt for a firmware password.

Select Disk Utility from the Utilities window, then click Continue.

From the Disk Utility sidebar, select the volume that you're using, then choose File > Mount from the menu bar. (If the volume is already mounted, this option is dimmed.) Then enter your administrator password when prompted.

Quit Disk Utility.

Choose Terminal from the Utilities menu in the menu bar.

Delete the Configuration Profile Repository. To do this, open Terminal and enter the following commands.
In these commands, replace <volumename> with the name of the macOS volume where the profile settings were installed.

rm /Volumes/<volumename>/var/db/ConfigurationProfiles/MDM_ComputerPrefs.plist
rm /Volumes/<volumename>/var/db/ConfigurationProfiles/.profilesAreInstalled
rm /Volumes/<volumename>/var/db/ConfigurationProfiles/Settings/.profilesAreInstalled
rm /Volumes/<volumename>/var/db/ConfigurationProfiles/Store/ConfigProfiles.binary
rm /Volumes/<volumename>/var/db/ConfigurationProfiles/Setup/.profileSetupDone

When done, choose Apple menu > Restart.

Reinstall all the configuration profiles that existed before you enabled smart card-only authentication.
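The Recovery cleanup above, written as a POSIX shell script that an administrator can keep on hand. This is an added example, not part of Apple's article: it removes the same five repository files the steps list, but first checks that the volume root is actually a mounted directory, removes only files that exist, and provides a count function to confirm the cleanup before restarting. The function names and the volume-root argument are this example's own.

```shell
#!/bin/sh
# Added example (not from Apple's article): remove the Configuration Profile
# Repository from a target volume, as in the Recovery steps above.
# Usage: remove_profile_repository /Volumes/<volumename>
# The five relative paths are exactly the ones the article lists.

PROFILE_REPO_FILES="var/db/ConfigurationProfiles/MDM_ComputerPrefs.plist
var/db/ConfigurationProfiles/.profilesAreInstalled
var/db/ConfigurationProfiles/Settings/.profilesAreInstalled
var/db/ConfigurationProfiles/Store/ConfigProfiles.binary
var/db/ConfigurationProfiles/Setup/.profileSetupDone"

# Removes the repository files under the given volume root.
# Returns 0 on success, 1 if the volume root is not a mounted directory
# (for example, if the volume was never mounted in Disk Utility).
remove_profile_repository() {
    volroot="$1"
    if [ -z "$volroot" ] || [ ! -d "$volroot" ]; then
        echo "error: volume root '$volroot' is not a mounted directory" >&2
        return 1
    fi
    removed=0
    for rel in $PROFILE_REPO_FILES; do
        f="$volroot/$rel"
        # Only remove files that are present; a missing file is not an error,
        # so the script can be re-run safely.
        if [ -f "$f" ]; then
            rm -f "$f" && removed=$((removed + 1)) && echo "removed $f"
        fi
    done
    echo "removed $removed file(s) from $volroot"
    return 0
}

# Prints how many of the repository files still exist under the volume root,
# so the administrator can confirm the cleanup (expect 0) before restarting.
count_profile_repository_files() {
    volroot="$1"
    n=0
    for rel in $PROFILE_REPO_FILES; do
        [ -f "$volroot/$rel" ] && n=$((n + 1))
    done
    echo "$n"
}
```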

Users can use their smart card to authenticate over SSH to the local computer or to remote computers that are correctly configured. Follow these steps to configure SSHD on a computer so that it supports smart card authentication.

Update the /etc/ssh/sshd_config file:

Use the following command to back up the sshd_config file:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup_`date "+%Y-%m-%d_%H:%M"`